|Publication number||US7464256 B2|
|Application number||US 10/572,665|
|Publication date||Dec 9, 2008|
|Filing date||Sep 17, 2004|
|Priority date||Sep 18, 2003|
|Also published as||CN1853162A, EP1665038A1, EP1665038A4, US8533442, US8924699, US20070130452, US20090182995, US20140075543, WO2005026951A1|
|Publication number||10572665, 572665, PCT/2004/1267, PCT/AU/2004/001267, PCT/AU/2004/01267, PCT/AU/4/001267, PCT/AU/4/01267, PCT/AU2004/001267, PCT/AU2004/01267, PCT/AU2004001267, PCT/AU200401267, PCT/AU4/001267, PCT/AU4/01267, PCT/AU4001267, PCT/AU401267, US 7464256 B2, US 7464256B2, US-B2-7464256, US7464256 B2, US7464256B2|
|Inventors||Robert Linley Muir|
|Original Assignee||Aristocrat Technologies Australia Pty. Limited|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (21), Non-Patent Citations (1), Referenced by (14), Classifications (11), Legal Events (3)|
|External Links: USPTO, USPTO Assignment, Espacenet|
The present application claims priority from Provisional Patent Application No. 2003905097 filed on 18 Sep. 2003, the contents of which is incorporated herein by reference.
The present invention relates generally to security in relation to software in gaming machines and in particular the invention provides a method of verifying a BIOS Rom prior to startup of a machine.
U.S. Pat. No. 5,643,086 describes a method of securing a gaming machine such that unapproved software on the mass storage will not be executed. The BIOS chip responsible for booting the system checks the cryptographic digital signature of software it loads from the hard disk (or other device) and only if it is valid will the software be executed. It is possible to tamper with this system by modifying the software in the BIOS to eliminate the digital signature checking. This modification could be detected if the gaming machine is examined in detail, though this is not suggested in the prior art document.
Gaming regulations typically require that BIOS chips be socketed, so that regulators are able to easily verify the contents of the memory and detect such illegal tampering. However this does make it very easy to illegally modify the BIOS.
The use of custom hardware can protect against such BIOS modifications, but prevents the use of industry standard hardware, such as PC's. A smartcard for example is easily able to implement secure program memory.
The Microsoft X-BOX Game console is based on standard PC technology, with some modifications. One of the security mechanisms is to boot the CPU from a small ROM embedded in the customised graphics controller, which is then responsible for authenticating the remaining BIOS software. The BIOS then goes on to provide security for the rest of the loading process. It is not feasible to tamper with the code in the custom graphics chip, and hence in theory provides a high level of security, however it is very difficult and expensive to customise such a significant part of the PC architecture.
U.S. Pat. No. 4,862,156 to Atari for a “Video Computer System” (a home game console) describes a security system in which digital signature authentication is performed on console games. If the check fails, part of the functionality of the console is disabled. Only if authentication passes is full functionality enabled.
U.S. Pat. No. 6,071,190 describes a method of improving the security off a gaming machine, and verifying the stored program therein. The security depends security of the BIOS.
U.S. Patent application No. 20030064771 “Reconfigurable Gaming Machine” describes a gaming machine in which security again is dependant on the BIOS. U.S. Pat. No. 5,802,592 “System and Method for Protecting Integrity of Alterable ROM using Digital Signature” describes a system into which the BIOS is partitioned into alterable and unalterable parts. The CPU first executes the unalterable BIOS, which authenticates the alterable part. This system protects against tampered software in the alterable BIOS, but not against modifications to the unalterable BIOS (for example if it is physically replaced).
U.S. Pat. No. 5,844,986 “Secure BIOS” describes a system in which BIOS updates are cryptographically controlled, such that only authentic updates can be written to the BIOS memory.
U.S. Pat. No. 6,488,581 describes device for protecting a mass storage device (eg disk drive) against modification by filtering out unauthorised commands to the device.
US Government standard FIPS 140-1 “Security requirements for Cryptographic modules” describes, in section “4.11.1 Power-Up Tests” software/firmware tests in which software/firmware residing in a cryptographic module is cryptographically authenticated at power up. The same technique is used in gaming machines (e.g. U.S. Pat. No. 5,643,086), but is more secure due the physical security of the cryptographic module—i.e. it is not physically possibly to tamper with the boot program.
Each of these prior art arrangements either relies on the BIOS being secure or uses a non-standard hardware configuration that is incompatible with a standard PC hardware configuration.
U.S. Pat. No. 6,401,208 “Method for BIOS authentication prior to BIOS execution” by Intel Corp., describes a method of BIOS protection that results in a similar outcome to the arrangement of the present invention, however the method of achieving that result is quite different and more complex than that now proposed. The Intel proposal relies on a special modified mother board chip set and a processor which employs an op-code emulation bit to allow a data fetch to be disguised as an instruction fetch. This approach may not be accessible by smaller dedicated application developers, or at least, not at a reasonable cost.
The Trusted Computing Platform Alliance (TCPA) is a group of companies in the computing industry promoting new hardware/software extensions to the PC to enable more secure computing and digital rights management (DRM). TCPA enables an external computer to determine the exact software configuration of a PC. It is not required that the PC must boot particular software, only that the software that it does boot can be determined externally. While ideal for network connected DRM, as it lets a content provider permit downloads only to suitably configured machines, it is not sufficient for a gaming machine which should never be permitted to execute non-approved software, and is often not even connected to a network. Further the security of TCPA rests in part on the security of the BIOS against tampering, and this is not secure in the current PC standard. Securing the BIOS from tampering would require more extensive changes to the PC architecture standard. (“Trusted Computing Platforms TCPA Technology In Context”, ISBN 0-13-009220-7).
Throughout this specification the word “comprise”, or variations such as “comprises” or “comprising”, will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is solely for the purpose of providing a context for the present invention. It is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention as it existed before the priority date of each claim of this application.
According to a first aspect, the present invention provides a processing system comprising a central processor, a BIOS memory device and a BIOS protection device interconnected by address and data paths, wherein at start-up, the BIOS protection device takes control of the memory address and data paths and prevents execution of a boot program stored in the BIOS memory device until the BIOS protection device has verified that the boot program stored in the BIOS memory device is authentic.
According to a second aspect, the present invention provides a method of authenticating a boot program held in a BIOS memory device of a processing system comprising a central processor, the BIOS memory device and a BIOS protection device interconnected by address and data paths, the method comprising the steps of:
1) at start-up, the BIOS protection device temporarily prevents execution of the boot program by the central processor;
2) the BIOS protection device takes control of the address and data paths;
3) the BIOS protection device interrogates the contents of the BIOS memory device to establish if the contents are authenticated;
4) if the contents of the BIOS memory device are not authentic, the BIOS protection device continues to prevent execution of the boot program and prevents further operation of the central processor; and
5) if the contents of the BIOS memory device are authentic, the BIOS protection device relinquishes control of the address and datapaths and allows the central processor to execute the boot program in the BIOS memory device.
According to a third aspect, the present invention provides a BIOS protection device for connection to a processing system between a central processor and a BIOS memory device containing a boot program, the BIOS protection device including address and data path interface connection means, and an authentication processor whereby, when power is applied to the BIOS protection device, the BIOS protection device takes control of address and data path(s) to which it is connected and the authentication processor interrogates the BIOS memory device connected to the address and data path(s) to determine if the boot program contained in the BIOS memory device is authentic, and only if the boot program is determined to be authentic does the BIOS protection device release control of the address and data path(s) to permit the central processor to execute the boot program.
In various embodiments of the invention, different address and data path interfaces may be used including serial interfaces, totally non-multiplexed buses, the Intel™ Low Pin Count (LPC) bus structure and various intermediate solutions, depending on other components used on the motherboard. The motherboard may use standard PC architecture or may be a non-PC configuration.
Preferably, the BIOS device includes a cryptographic digital signature located at a known location in the BIOS memory device and the BIOS protection device calculates the value of the signature (from the BIOS data and internal public key) and interrogates the BIOS to verify that the correct signature is present and corresponds with the boot program (or, a part thereof) stored in the BIOS device.
In one embodiment, the BIOS protection device also contains an internal memory device and while authenticating the BIOS contents, the BIOS protection device copies part of the BIOS memory device contents to the internal memory device and subsequently controls the address and data path(s) to bypass the BIOS device when the central processor attempts to access the copied part of the BIOS memory device contents.
Preferably at least one signal line of the motherboard is interrupted by the BIOS protection device such that the motherboard is inoperative if the BIOS protection device is not present. In one preferred embodiment of the invention, the reset control circuit is provided in the BIOS protection device such that the board cannot exit the reset state if the BIOS protection device is not present.
Preferably also, the BIOS protection device will hold the reset signal in the reset (or, disabled) state while the authentication of the BIOS is performed. When the authentication is successful, the BIOS protection device releases the reset signal allowing the central processor to commence operation. In an alternative embodiment, the BIOS protection device inserts wait cycles to disable the central processor while authenticating the BIOS memory device.
Embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings in which:
It is unlikely that BIOS security of the type required by gaming applications and other sensitive applications will be built into the PC standard in the near future, because there is no real need for it in most applications. Hence the only way to get this level of security is to customise the PC standard, and the embodiments of the present invention described below achieve this in a relatively inexpensive manner.
A PC is not designed for security and security against BIOS modification has not been a concern for the mainstream PC market. Prior to this invention the only way to incorporate this level security was by directly incorporating it into the chips which make up the PC, as was done with the Microsoft X-BOX. It is not feasible for a niche industry user to influence the PC industry to incorporate BIOS security into the PC standard, or to go to the expense of modify existing PC standard chips.
Embodiments of the invention are described below with reference to gaming machines, however embodiments may also be useful in other fields where a higher level of security is required, while using standard commercial designs. An example might be ATM machines used in the banking industry. It would also be useful in implementing TCPA without making significant changes to the PC architecture standard.
After power on, the protection device enters the verification mode where it verifies the contents of the BIOS. While in verification mode the authenticator 21 within the protection device asserts the reset line 23 to hold the rest of the motherboard in reset while the BIOS is being interrogated and to provide enhanced security in the event that authentication fails. Alternately, to prevent malfunction, instead of using the reset function, the protection device can insert wait cycles into external BIOS access until authentication is successfully completed. While in reset the multiplexer circuit 22 routes the address from the authenticator to the output and hence BIOS 18, allowing the authenticator to read the contents of the BIOS from the LPC bus 16/25. After authentication has been successful and reset is negated, the multiplexer routes the address from the ICH4 14 to the BIOS 18, allowing the CPU 11 to read the BIOS 18. The external circuit used would be similar to that shown in
In normal operation, after the BIOS has been successfully authenticated, the protection device is transparent to the operation of the standard ICH4 and BIOS devices, and has no effect on the functions of the motherboard. Standard software verification techniques can then be used to provide further protection for the application software running on the processor.
To authenticate the BIOS, the BIOS protection device 17 reads the contents of the BIOS chips 18 and verifies that the contents are valid against a cryptographic digital signature embedded in the BIOS at a known location. The public key of the signature is stored in the authenticator 21 of the BIOS protection device 17 where it cannot be tampered with. If the BIOS is successfully authenticated the BIOS protection device moves to it's transparent mode of operation and releases the reset and enables any extra functionality provided within the protection device. If authentication fails the BIOS protection device enters the error mode, where access to the BIOS is disabled, the system remains in reset, and any extra functions of the protection chip are disabled.
Therefore even in a physical arrangement where it is easy to access and modify the contents of the BIOS, security is preserved.
The arrangement described above, allows industry standard designs to be easily enhanced to support a much stronger level of security against tampering. A single security device can be used to protect multiple different boards, requiring only that the board's memory interface be supported.
With the arrangement described above, while it would still be possible to tamper with the BIOS by replacing the protection device with a substitute circuit that did not have protection, this is much more difficult than simply removing a socketed BIOS device as is possible with existing systems.
The protection device may incorporate further unrelated functions of the board, such that if it were removed it would be difficult to duplicate it's functions. Preferably these functions would be necessary to the operation of the board, and are disabled if the BIOS verification fails. Hence the protection device cannot be easily replaced by a simple circuit without the protection feature as this would require that the extra functions must also be duplicated. In a simple example the reset control circuit for the board is implement in the protection device, and any replacement device would have to replicate the reset function for the motherboard to operate.
To make tampering even more difficult, the protection device should be soldered directly to the circuit board, such that it is difficult to remove. Although it is possible to remove when it is soldered in, it is relatively time consuming and risks damage to the board, and is therefore expensive and/or increases the chance of detection.
In another example, a gaming machine such as the Aristocrat Technologies Mk6 product uses EPROM to store the game. Referring to
Referring to the block diagram of
In gaming applications regulators often require that memory devices are not capable of being updated in the gaming product, but many modem systems are capable of electronic updating of the BIOS. The protection devices 17, 32 need not affect the operation of BIOS firmware update, but if required, firmware updating can easily be disabled by arranging the protection devices 17, 41 to not pass updates to the BIOS 18, 33.
Protected Program Storage
One possible attack on the security provided by a protection device of the type described above, is to provide an external circuit with two BIOS's, an authentic original and a tampered version. While the protection device 17, 41 authenticates the BIOS (and the board is held in reset) the authentic BIOS is enabled into the circuit, and when the board is not reset the tampered version is enabled instead. Thus the protection device authenticates one device and the CPU executes the other. While such an attack would be difficult to perform undetected, it is theoretically possible.
The board is held in reset by asserting the RESET signal 38, while the authenticator 41 reads the BIOS EPROM 18, 33 by asserting the OE_OUT signal 39 and reading data via the DATA_IN bus 36, while at the same time writing the read EPROM data to the protected program storage memory 52. When the reset signal 38 is asserted the address multiplexer 42 selects the address 34 a from the authenticator 41 to be output allowing the authenticator 42 to read the BIOS device 18, 33, while when reset signal 38 is negated the multiplexer 42 selects the address 34 from the main CPU 11, allowing the CPU to read the BIOS 18, 33. Once the authenticator 41 has successfully authenticated the BIOS data the RESET signal 38 is negated to enable normal operation of the CPU 11. Data out 36 b to the CPU 11 passes through a tri-state buffer 57 which is enabled by the OE_IN signal 56 from the CPU 11, while t he OE_OUT signal 39 is always generated by the authenticator 41 because all reads to the BIOS 18, 33 are initiated via the protection device 51.
Ideally the entire contents of the BIOS 18, 33 will be authenticated and stored in the internal memory 52, however BIOS chip capacity is quite large and may be expensive to duplicate. To save cost a subset of the BIOS may be authenticated by the BIOS protection device 51, and the software in authenticated portion of the BIOS is responsible for authenticating the remaining part of the BIOS using cryptographic digital signatures when executed by the CPU 11. The authenticated subset is sufficient to authenticate and load the remaining BIOS into the computers main memory, from which it then executes.
Prior to successful authentication the data bus to the CPU may be disabled to make it more difficult to tamper with the circuit. The data bus is not necessarily tri-state, since tampering with a driven data pattern is more difficult to tamper with than a tri-state bus.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US4862156||May 21, 1984||Aug 29, 1989||Atari Corporation||Video computer system including multiple graphics controllers and associated method|
|US5643086||Jun 29, 1995||Jul 1, 1997||Silicon Gaming, Inc.||Electronic casino gaming apparatus with improved play capacity, authentication and security|
|US5802592||May 31, 1996||Sep 1, 1998||International Business Machines Corporation||System and method for protecting integrity of alterable ROM using digital signatures|
|US5844986||Sep 30, 1996||Dec 1, 1998||Intel Corporation||Secure BIOS|
|US5937063 *||Sep 30, 1996||Aug 10, 1999||Intel Corporation||Secure boot|
|US6071190||May 21, 1997||Jun 6, 2000||Casino Data Systems||Gaming device security system: apparatus and method|
|US6263431 *||Dec 31, 1998||Jul 17, 2001||Intle Corporation||Operating system bootstrap security mechanism|
|US6401208 *||Jul 17, 1998||Jun 4, 2002||Intel Corporation||Method for BIOS authentication prior to BIOS execution|
|US6488581||Jun 22, 1999||Dec 3, 2002||Igt||Mass storage data protection device for a gaming machine|
|US6564326 *||Oct 24, 2001||May 13, 2003||Walter A. Helbig, Sr.||Method and apparatus for enhancing computer system security|
|US6625730||Mar 31, 2000||Sep 23, 2003||Hewlett-Packard Development Company, L.P.||System for validating a bios program and memory coupled therewith by using a boot block program having a validation routine|
|US6735696 *||Aug 14, 1998||May 11, 2004||Intel Corporation||Digital content protection using a secure booting method and apparatus|
|US6889341 *||Jun 28, 2002||May 3, 2005||Hewlett-Packard Development Company, L.P.||Method and apparatus for maintaining data integrity using a system management processor|
|US7073064 *||Mar 31, 2000||Jul 4, 2006||Hewlett-Packard Development Company, L.P.||Method and apparatus to provide enhanced computer protection|
|US20010007131||Sep 11, 1997||Jul 5, 2001||Leonard J. Galasso||Method for validating expansion roms using cryptography|
|US20020004905||Jul 17, 1998||Jan 10, 2002||Derek L Davis||Method for bios authentication prior to bios execution|
|US20030064771||Sep 28, 2001||Apr 3, 2003||James Morrow||Reconfigurable gaming machine|
|US20040003322||Jun 28, 2002||Jan 1, 2004||Collins David L.||Method and apparatus for maintaining data integrity using a system management processor|
|US20050014559 *||Jul 16, 2003||Jan 20, 2005||Igt||Secured verification of configuration data for field programmable gate array devices|
|WO2000010283A1||Aug 10, 1999||Feb 24, 2000||Eric C Hannah||Digital content protection using a secure booting method and apparatus|
|WO2001059564A2||Jan 4, 2001||Aug 16, 2001||Andrew H Gafken||Protected boot flow|
|1||Trusted Computing Platforms TCPA Technology in Context, Pearson, Editor, 2003 by Hewlett-Packard Company ISBN 0-13-009220-7.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8060732 *||Apr 13, 2007||Nov 15, 2011||Stmicroelectronics (Research & Development) Limited||Multiple purpose integrated circuit|
|US8332916 *||Feb 26, 2009||Dec 11, 2012||Hitachi, Ltd.||User identification system and a method thereof|
|US8533442 *||Sep 19, 2008||Sep 10, 2013||Aristocrat Technologies Australia Pty Ltd.||BIOS protection device|
|US8661406 *||Aug 2, 2012||Feb 25, 2014||Alan Joshua Shapiro||Method and system for software delivery|
|US8924699 *||Aug 27, 2013||Dec 30, 2014||Aristocrat Technologies Australia Pty Ltd||BIOS protection device|
|US8961292 *||Feb 25, 2008||Feb 24, 2015||Wms Gaming, Inc.||System for managing wagering game content|
|US9122492||Oct 25, 2011||Sep 1, 2015||Wms Gaming, Inc.||Bios used in gaming machine supporting pluralaties of modules by utilizing subroutines of the bios code|
|US20070283140 *||Apr 13, 2007||Dec 6, 2007||Stmicroelectronics (Research & Development) Limited||Multiple purpose integrated circuit|
|US20080320311 *||Dec 27, 2007||Dec 25, 2008||Samsung Electronics Co.||Apparatus and method for authenticating firmware|
|US20090182995 *||Jul 16, 2009||Aristocrat Technologies Australia Pty Limited||Bios protection device|
|US20100011423 *||Feb 26, 2009||Jan 14, 2010||Yoshiaki Isobe||User identification system and a method thereof|
|US20100081509 *||Feb 25, 2008||Apr 1, 2010||Wms Gaming, Inc.||System for managing wagering game content|
|US20110078430 *||Mar 31, 2011||Mccoull James Ross||Gaming machine having a secure boot chain and method of use|
|US20120297378 *||Aug 2, 2012||Nov 22, 2012||Alan Joshua Shapiro||Method and system for software delivery|
|U.S. Classification||713/1, 713/193, 713/189|
|International Classification||G06F9/00, H04L9/00, G06F9/445|
|Cooperative Classification||G06F21/572, G06F21/575, G06F21/44|
|European Classification||G06F21/57A, G06F21/57B|
|Sep 30, 2008||AS||Assignment|
Owner name: ARISTOCRAT TECHNOLOGIES AUSTRALIA PTY LTD., AUSTRA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MUIR, ROBERT LINLEY;REEL/FRAME:021609/0261
Effective date: 20060222
|May 9, 2012||FPAY||Fee payment|
Year of fee payment: 4
|Jan 16, 2015||AS||Assignment|
Owner name: UBS AG, STAMFORD BRANCH, CONNECTICUT
Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:ARISTOCRAT TECHNOLOGIES AUSTRALIA PTY LIMITED;REEL/FRAME:034777/0498
Effective date: 20141020